ghsa-33f4-mjch-7fpr
Vulnerability from GitHub
A vulnerability in Allstar’s Reviewbot component caused inbound webhook requests to be validated against a hard-coded, shared secret:
https://github.com/ossf/allstar/blob/294ae985cc2facd0918e8d820e4196021aa0b914/pkg/reviewbot/reviewbot.go#L59
The value used for the secret token was compiled into the Allstar binary and could not be configured at runtime. In practice, this meant that every deployment using Reviewbot would validate requests with the same secret unless the operator modified source code and rebuilt the component - an expectation that is not documented and is easy to miss. While Reviewbot is not commonly enabled in standard Allstar setups, we are issuing this advisory to reach any environments where it may have been deployed.
Affected Versions
All Allstar releases prior to v4.5 that include the Reviewbot code path are affected. Deployments on v4.5 and later are not affected. If you have not enabled or exposed the Reviewbot endpoint, this issue does not apply to your installation.
Impact
If the Reviewbot endpoint is deployed and reachable, an attacker can bypass authentication by crafting webhook requests that use the known, hard-coded secret. Because signature verification will succeed, Reviewbot would treat these requests as authentic when they should be rejected. Depending on the permissions and automations attached to your deployment, this could allow unauthorized triggering of review actions such as posting automated comments or reviews, influencing checks, or otherwise manipulating repository signals. The primary risk is to the integrity of repository workflows rather than confidentiality or availability, although secondary effects (e.g., noisy automation, misleading reviews, or workflow disruptions) are possible.
Exploitability
Exploiting this is straightforward and does not require an attacker to be authenticated. Anyone who can send requests to the Reviewbot webhook can reach the vulnerable code.
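The CWE-798 pattern this advisory describes, shown beside a hardened alternative, as an added Go example that is not Allstar's own code and is not taken from the linked reviewbot.go. It assumes a GitHub-style X-Hub-Signature-256 HMAC header; the placeholder constant, the REVIEWBOT_WEBHOOK_SECRET variable name and the 16-byte minimum are illustrative assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"os"
	"strings"
)

// Weak shape (CWE-798): a compile-time constant secret, so every build validates
// webhooks with the same value. Constructed placeholder, not Allstar's literal.
const compiledInSecret = "PLACEHOLDER-shared-secret"

// signPayload builds the GitHub-style "sha256=<hex>" HMAC over body.
func signPayload(secret, body []byte) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	return "sha256=" + hex.EncodeToString(mac.Sum(nil))
}

// verifyPayload checks an X-Hub-Signature-256 header in constant time. The
// check is sound; the weakness is in where the secret comes from.
func verifyPayload(secret, body []byte, sigHeader string) bool {
	hexSig, ok := strings.CutPrefix(sigHeader, "sha256=")
	want, err := hex.DecodeString(hexSig)
	if !ok || err != nil {
		return false
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	return hmac.Equal(mac.Sum(nil), want)
}

// loadWebhookSecret is the hardened wiring: the secret is operator-supplied at
// runtime (lookup stands in for os.LookupEnv so tests can inject values) and
// startup fails closed instead of falling back to compiledInSecret.
func loadWebhookSecret(lookup func(string) (string, bool)) ([]byte, error) {
	v, ok := lookup("REVIEWBOT_WEBHOOK_SECRET") // hypothetical variable name
	if !ok || len(v) < 16 {
		return nil, fmt.Errorf("webhook secret must be configured at runtime (>= 16 bytes)")
	}
	return []byte(v), nil
}

func main() {
	_, err := loadWebhookSecret(os.LookupEnv) // fails closed when nothing is configured
	fmt.Println("startup:", err)
}
```

A deployment check for the fixed shape is that the process refuses to start without the operator-supplied secret, rather than silently accepting a default.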
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/ossf/allstar"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20250721181116-e004ecb540d6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-61926"
],
"database_specific": {
"cwe_ids": [
"CWE-798"
],
"github_reviewed": true,
"github_reviewed_at": "2025-10-10T22:53:42Z",
"nvd_published_at": "2025-10-09T22:15:32Z",
"severity": "MODERATE"
},
"details": "A vulnerability in Allstar\u2019s Reviewbot component caused inbound webhook requests to be validated against a hard-coded, shared secret:\n\nhttps://github.com/ossf/allstar/blob/294ae985cc2facd0918e8d820e4196021aa0b914/pkg/reviewbot/reviewbot.go#L59\n\nThe value used for the secret token was compiled into the Allstar binary and could not be configured at runtime. In practice, this meant that every deployment using Reviewbot would validate requests with the same secret unless the operator modified source code and rebuilt the component - an expectation that is not documented and is easy to miss. While Reviewbot is not commonly enabled in standard Allstar setups, we are issuing this advisory to reach any environments where it may have been deployed.\n\n## Affected Versions\n\nAll Allstar releases prior to v4.5 that include the Reviewbot code path are affected. Deployments on v4.5 and later are not affected. If you have not enabled or exposed the Reviewbot endpoint, this issue does not apply to your installation.\n\n## Impact\n\nIf the Reviewbot endpoint is deployed and reachable, an attacker can bypass authentication by crafting webhook requests that use the known, hard-coded secret. Because signature verification will succeed, Reviewbot would treat these requests as authentic when they should be rejected. Depending on the permissions and automations attached to your deployment, this could allow unauthorized triggering of review actions such as posting automated comments or reviews, influencing checks, or otherwise manipulating repository signals. The primary risk is to the integrity of repository workflows rather than confidentiality or availability, although secondary effects (e.g., noisy automation, misleading reviews, or workflow disruptions) are possible.\n\n## Exploitability\n\nExploiting this is straightforward and does not require an attacker to be authenticated. Anyone who can send requests to the Reviewbot webhook can reach the vulnerable code.",
"id": "GHSA-33f4-mjch-7fpr",
"modified": "2025-10-23T20:35:27Z",
"published": "2025-10-10T22:53:42Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ossf/allstar/security/advisories/GHSA-33f4-mjch-7fpr"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61926"
},
{
"type": "WEB",
"url": "https://github.com/ossf/allstar/pull/713"
},
{
"type": "WEB",
"url": "https://github.com/ossf/allstar/commit/e004ecb540d63ca6f5b1689b41af6c0040a82c73"
},
{
"type": "PACKAGE",
"url": "https://github.com/ossf/allstar"
},
{
"type": "WEB",
"url": "https://github.com/ossf/allstar/blob/294ae985cc2facd0918e8d820e4196021aa0b914/pkg/reviewbot/reviewbot.go#L59"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2025-4018"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "Allstar Reviewbot has Authentication Bypass via Hard-coded Webhook Secret"
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.